Breaches are more common than ever, phishing scams continue to succeed and AI is helping to take cybercrime to a whole new level. Hornetsecurity's Cyber Security Report 2024 analyzed 45 billion emails sent in 2023, of which 3.6% were considered malicious. That is 1.6 billion potentially harmful emails. Almost half of all email-based attacks use phishing to obtain users' passwords. If a user falls for a phishing scam and their credentials are compromised, multi-factor authentication (MFA) or two-factor authentication (2FA) provides an additional safeguard: the stolen password alone is no longer enough to log in.
But when is 2FA enough, and when should organizations implement MFA?
MFA combines authentication factors from different categories: something the user knows (a password or PIN), something the user has (a phone that receives an SMS code or push notification, an authenticator app, a hardware security key) and something the user is (a fingerprint, retina or facial scan). Some systems also weigh context such as the login location. Note that a PIN belongs to the same category as a password, and an SMS code and an authenticator-app code are both "something you have", so stacking methods from the same category does not add a factor. The more independent factors an attacker must defeat, the harder it is to penetrate accounts and breach an organization. One caveat matters for the phishing scenario above: a one-time code can be phished in real time just like a password, whereas phishing-resistant methods such as FIDO2/WebAuthn security keys bind the login to the legitimate site.
With MFA active, if a hacker phishes or cracks a password, they still need at least one more factor before they can do any damage. Without it, they cannot complete the authentication process and prove they are the actual owner of the account.
As the name implies, 2FA uses two authentication factors. After the user enters a username and password, they are prompted to take an added step, such as approving a push notification on their phone, entering a code from an SMS message or an authenticator app, or using some other method.
The terms 2FA and MFA are sometimes used interchangeably. This is because 2FA is really a subset of MFA: MFA means two or more factors from different categories, and 2FA is the case with exactly one factor beyond the password. High-security environments may require three or more. Remember the scene from Mission Impossible: Rogue Nation where Benji (Simon Pegg) has to provide a number of items to enter a facility: a digital ID card, a password, a retina scan and gait analysis? That is an example of MFA taken to the extreme.
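The two-step login described above, and the distinction between methods and factors, as an added worked example (this is illustrative code written for this article, not from the original page or from any vendor named here). It assumes a hypothetical in-memory user store called USERS, a PBKDF2-hashed password as the first factor and an RFC 6238 TOTP code as the second; the user "alice", her password and the secret key are constructed for the demonstration. It also shows a check a practitioner wants: a code that has already been accepted is refused again, so a phished code cannot be replayed within its 30-second window.

```python
import hashlib
import hmac
import secrets
import struct

# ---- Second factor: RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) ----
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)

# ---- Hypothetical in-memory user store (constructed for this example) ----
USERS: dict = {}
PBKDF2_ROUNDS = 200_000

def register(username: str, password: str, totp_secret: bytes) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
        # Highest TOTP step already accepted; a replayed (phished) code is refused.
        "last_counter": -1,
    }

def login(username: str, password: str, code: str, now: int,
          step: int = 30, skew: int = 1) -> str:
    """Factor 1 (knowledge): password. Factor 2 (possession): TOTP code."""
    user = USERS.get(username)
    if user is None:
        return "denied: unknown user"
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return "denied: bad password"
    # Accept the current step plus/minus `skew` steps to tolerate clock drift.
    base = now // step
    for off in range(-skew, skew + 1):
        counter = base + off
        if hmac.compare_digest(hotp(user["totp_secret"], counter), code):
            if counter <= user["last_counter"]:
                return "denied: code already used"
            user["last_counter"] = counter
            return "ok"
    return "denied: bad code"

# ---- Methods versus factors: only distinct categories count ----
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "sms_code": "possession", "totp_app": "possession",
    "push": "possession", "security_key": "possession",
    "fingerprint": "inherence", "face": "inherence",
}

def distinct_factors(methods) -> set:
    """Return the set of factor categories covered by a list of methods."""
    return {FACTOR_CATEGORY[m] for m in methods}

if __name__ == "__main__":
    SECRET = b"12345678901234567890"          # RFC 6238 test-vector key
    register("alice", "correct horse battery staple", SECRET)
    t = 1111111109
    code = totp(SECRET, t)                    # what alice's authenticator shows
    print(login("alice", "correct horse battery staple", code, t))   # ok
    print(login("alice", "correct horse battery staple", code, t))   # replay refused
    print(len(distinct_factors(["password", "sms_code", "totp_app"])))  # 2, not 3
```

The replay rule follows RFC 6238, which says a verifier must not accept the same OTP a second time after a successful validation; it also means a user who logs in twice inside one 30-second step will be asked for a fresh code. Password plus SMS code plus authenticator code is still two factors, because the last two are both "something you have".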
MFA is stronger than 2FA, but it also has limitations.
2FA may not be as strong as MFA, but it does have certain benefits.
Organizations can reasonably settle on 2FA for routine access that does not require high security. 2FA is probably enough for many consumers, and in organizations where applications, systems and users do not handle sensitive or confidential data, 2FA should suffice. It offers a smoother and simpler user experience, and if the budget is tight, it can be less costly than MFA.
For organizational users, MFA is more secure because it requires additional, independent authentication factors. Some users may not need that level of protection, but others do. Even at an individual level, a personal bank account should be safeguarded by MFA. MFA that includes a biometric is the preferred choice for confidential and financial information. And for sensitive organizational files, as well as people in executive, IT, HR, finance and other high-value roles, MFA maintains a higher level of security.
Many organizations don’t yet use 2FA or MFA. The implementation of either one can be a major step toward increased protection. Vade Secure reports that phishing attacks are steadily increasing. They rose by 173% in the third quarter of 2023. In one month alone, over 200 million phishing emails were sent. Even if a tiny percentage of these attempts are successful, it represents a vast number of compromised credentials. 2FA and MFA make life more difficult for hackers.
MFA is the way to go for any organization that needs to protect confidential or sensitive information. For others, 2FA may be sufficient: it is less expensive, easier to implement and simpler to maintain. For those weighing 2FA against MFA, though, a small difference in price and an additional implementation and maintenance burden on IT may be a small price to pay to prevent a serious breach.